Tuesday, January 16, 2018

Bypassing Antivirus using Amber (Reflective PE Packer)

Amber is a proof-of-concept tool for bypassing antivirus software. It converts Portable Executables (PEs) so that they can be loaded reflectively, which allows a PE to be used as a multi-stage payload on a target system. Amber relies on in-memory execution: a compiled PE is executed inside process memory without ever being written to storage. This leaves a smaller footprint, since no malware file lands on the hard drive, and it makes detection by antivirus and anti-malware solutions more difficult...READ MORE

Wapack Labs has cataloged and reported on anti-detection tools in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

WWW.WAPACKLABS.COM

Sunday, January 14, 2018

Pyeongchang Olympics Volunteers Targeted with Malware

TACTICAL CYBER INTELLIGENCE REPORT

Actor Type: II
Serial: TR-18-014-001
Countries: All, KP, KR
Report Date: 20180114

Wapack Labs observed two specimens of macro malware believed to be targeting volunteers at the 2018 Winter Olympics in Pyeongchang, South Korea. Two XLSM documents were uploaded to VirusTotal from Korea in late November. The documents are trojanized versions of a benign XLS spreadsheet hosted on the official 2018 Winter Olympics website, vol.pyeongchang2018.com [1].

The benign spreadsheet used to create the malicious documents contains logistical details for Olympic volunteers, which suggests that either the volunteers themselves or the Olympic Volunteer portal was the intended target. The exact delivery mechanism is unclear; the documents may have been delivered via a spoofed version of the legitimate pyeongchang2018.com site or in a targeted spear phish.

The files were named 20171115_평창_자원봉사_직무__베뉴_소개.xlsm, which translates to “PyeongChang volunteer job and introduction”. The benign equivalent hosted on the Olympics website is similarly named 평창_자원봉사_직무__베뉴_소개(17.12.04).xlsx. The malicious files are XLSM files (Macro-Enabled Workbooks), meaning they can run their embedded macros unless macros are disabled. The embedded macro contains a crudely encoded PowerShell command.

This command contains another layer of base64 encoding.

The result is shellcode, which initiates an SSL call back. This exact technique was documented in 2016 on softwaregrp.com [2].
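As an added example (not code from the report), the following Python triage helper peels the two encoding layers described above, an encoded PowerShell command wrapping a second base64 blob, without executing anything, so the decoded bytes can be hashed and matched against indicators. The sample command line and its inner bytes are constructed placeholders, not the report's specimen.

```python
"""Constructed triage helper (added example, not from the report).
Peels the two layers the report describes: an encoded PowerShell command
(base64 of UTF-16LE script text) wrapping a second base64 blob that decodes
to raw bytes. Nothing is executed; it only decodes and hashes."""
import base64
import hashlib
import re

# -EncodedCommand and its short forms (-e, -ec, -enc), case-insensitive.
ENC_ARG_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
# A base64 run long enough to be a payload rather than a short string literal.
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def decode_encoded_command(cmdline: str) -> str:
    """Return the script text hidden behind an -EncodedCommand argument."""
    m = ENC_ARG_RE.search(cmdline)
    if not m:
        raise ValueError("no -EncodedCommand argument found")
    return base64.b64decode(m.group(1)).decode("utf-16-le")

def extract_inner_payload(script: str) -> bytes:
    """Decode the longest base64 blob embedded in the decoded script."""
    blobs = B64_BLOB_RE.findall(script)
    if not blobs:
        raise ValueError("no inner base64 blob found")
    return base64.b64decode(max(blobs, key=len))

def triage(cmdline: str) -> dict:
    """Summarise both layers for an analyst without running anything."""
    script = decode_encoded_command(cmdline)
    payload = extract_inner_payload(script)
    return {
        "script_preview": script[:48],
        "payload_len": len(payload),
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
    }

# Constructed sample: a placeholder inner "payload" wrapped the way the
# report describes. The bytes are plain text, not real shellcode.
INNER = b"constructed placeholder bytes, not shellcode, 0123456789"
SCRIPT = f'$b=[Convert]::FromBase64String("{base64.b64encode(INNER).decode()}");'
SAMPLE_CMDLINE = "powershell.exe -NoP -W Hidden -enc " + base64.b64encode(
    SCRIPT.encode("utf-16-le")).decode()

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```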

The observed call-back is to a Korean IP address, 121.158.16.99; however, it was offline during sandboxing. Further analysis revealed that the IP hosts a fraudulent version of the Olympics domain, pyeongchang2018.or.kr. The actors used a Korean registrar and a Korean webmail address for the registrant email. The registrant email, qotjdlf@hanmail.net, is linked to yet another fraudulent Olympics domain, pyeongchang2018.kr. Both list a registrant name of “BAESEOIL”.

Domain Name: pyeongchang2018.or.kr
Registrant: BAESEOIL
Administrative Contact(AC): BAESEOIL
AC E-Mail: qotjdlf@hanmail.net
Registered Date: 2017. 09. 18.
Last Updated Date: 2017. 09. 18.
Expiration Date: 2018. 09. 18.
Publishes: N
Authorized Agency: Whois Corp.(http://whois.co.kr)
DNSSEC: unsigned

Primary Name Server
   Host Name: ns1.whoisdomain.kr
   IP Address: 211.206.125.156

Secondary Name Server
   Host Name: ns2.whoisdomain.kr
   IP Address: 222.122.218.45
   Host Name: ns3.whoisdomain.kr
   IP Address: 110.45.166.139
   Host Name: ns4.whoisdomain.kr
   IP Address: 219.251.156.134


Indicators of Compromise:
MD5:     0c497e6b84251e3aea924a0ccb7e584b
         1e9ccfd3b67c587644d30ede319f9f33
IP:      121.158.16.99
Domains: pyeongchang2018.or.kr
         pyeongchang2018.kr


Conclusion:
Olympic-themed attacks are likely to escalate leading up to the games in February. Attribution for this incident is unclear; however, it is important to note that the leveraged IP address, registrar, and even the registrant email are all based in Korea. This would indicate either a Korea-based actor or a higher level of tradecraft and attention to detail, which is a hallmark of state-sponsored activity.

Contact the Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com

[1] https://vol.pyeongchang2018.com/ko/news/notices/standard/view?menuId=213&bbsId=24&cnId=169&rows=9&pageNo=1&searchOpt=&searchTxt=&sortSeCd=3
[2] https://community.softwaregrp.com/t5/Security-Research/From-Macro-to-SSL-with-Shellcode-A-Detailed-Deconstruction/ba-p/245485#.Wlq406inGvu

Friday, January 12, 2018

Nigerian Hacker Leveraging Predator Pain Keylogger

TLP AMBER ANNOUNCEMENT: 

Wapack Labs identified a Nigerian hacker who was responsible for a large 2017 Predator Pain keylogger collection. This actor is actively targeting company sales departments in the Asia-Pacific region with malicious spam e-mails. Once he has established persistence on a target, he monitors internal network activity, records e-mail correspondence, and impersonates company personnel by sending contractors fake invoices...READ MORE

Wapack Labs has cataloged and reported on Nigerian threat actors in the past. An archive of related reporting can be found in the Red Sky Alliance portal.    

This TLP AMBER report is available only to Red Sky Alliance members.

Wednesday, January 10, 2018

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT: 
 
Reporting Period: January 08, 2018
 
Wapack Labs identified connections from 1004 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkholed domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com
 
Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems. 

This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT: 
 
Compromised Email Accounts
Reporting Period: Jan 08, 2018


On 08 January 2018, Wapack Labs identified 357 ‘new’ unique email accounts compromised with keyloggers and used to log into mostly personal accounts and three organizations. Attackers may be able to access not only email addresses, but also financial, social media and other data.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com 

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems. 


This TLP AMBER report is available only to Red Sky Alliance members.

Tuesday, January 9, 2018

Meltdown and Spectre Exploitation Reporting

TLP AMBER ANNOUNCEMENT: 

On 2 January 2018, the British newspaper The Register published an article describing a design flaw present in all of Intel’s modern processors. The bug is a possible vulnerability related to the kernel page table isolation feature. The issue concerns how the microarchitecture makes speculative memory references and how an attacker may exploit them to bypass kernel address space layout randomization. This report provides situational awareness for our members. Watch for updates as major technology companies such as Apple, Amazon, Google, Microsoft, and VMware respond. Intel has already responded, stating that the allegations regarding these exploits are false and that any exploit is not unique to its chip design...READ MORE

Wapack Labs has cataloged and reported on vulnerability exploitation in the past. An archive of related reporting can be found in the Red Sky Alliance portal.   


This TLP AMBER report is available only to Red Sky Alliance members.

Friday, January 5, 2018

Iranian Protests and Cyber Hacktivism

Wapack Labs analysts have been monitoring the recent demonstrations in Iran, which express discontent toward the Islamic Republic installed in the aftermath of the 1979 Revolution. Iranian dissidents and activists took to the streets by the thousands, chanting slogans like “We don’t want an Islamic Republic” and “Death to the dictator”, as they tore down pictures of Supreme Leader Khamenei and set fire to the Governor’s office. Protests began in Mashhad, the second most populous city in Iran, which is built around the Holy Shrine of Imam Reza and remains a place of religious pilgrimage. By day two, the protests, with the help of the instant messaging service Telegram, had gained momentum and reached the western city of Kermanshah. As the Iranian government took steps to block media platforms like Instagram, Twitter, and Telegram, the third day of protests had already spread from the northern city of Tabriz to the southern port city of Bandar Abbas...READ MORE
 
Wapack Labs has cataloged and reported on cyber hacktivism in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Thursday, January 4, 2018

The Iranian Cyber Evolution: RATs, Backdoors, and Droppers

Wapack Labs has been monitoring Iranian cyber activity for several years, specifically the evolving OilRig and Greenbug campaigns. Their adoption of a cyber operational paradigm involving both cyber hacktivism and cyber espionage tactics resembles cyber activity patterns employed by Chinese APT groups, whereby different groups perform different campaigns, with multiple teams conducting separate phases of a cyber campaign. With President Trump’s refusal to re-certify Iran’s compliance with the 2015 Iran nuclear agreement, Wapack analysts are researching the continued efforts of Iranian-backed cyber threats in order to detect and defend against next moves. 

One common attribute is that they all engage in prolonged reconnaissance campaigns against their targets, at times lasting over a year. Greenbug, a cyber-espionage group with suspected Iranian ties, has been progressing dynamically in such campaigns. In August 2017, a Greenbug tool dubbed ISMAgent (an ISMDoor variant) resurfaced in the wild to harvest account credentials. Wapack Labs discovered evidence of ISMDoor variants relying on VB:Trojan.Valyria (possibly Clayside) for delivery, linking Greenbug to another group of Iranian actors known as OilRig. Wapack Labs assesses with moderate confidence that recent activity involving ISMDoor is an indicator of another cyber campaign cycle ramping up...READ MORE

Wapack Labs has cataloged and reported on Iranian cyber activity in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

2018 Cyber Security Threat and Vulnerability Predictions

This report encapsulates our predictions regarding the most significant cyber threats and vulnerabilities for 2018.
  • Phishing: Will likely become more popular among novice and criminal hackers.
  • Account Targeting: Account credentials are increasingly available.
  • Democratization of Cyber Weapons: 2017 saw the most high-profile ransomware attack to date with the WannaCry worm.
  • Tor Network: 2018 is the year of fighting and winning against the abuse of the Tor network.
  • Macro Malware: The popularity of malicious macros for malware delivery continued strong in 2017.
  • Geopolitical Tensions: Iran and North Korea tensions continue.
  • Blockchain-related Cybercrime: With the establishment of Bitcoin futures and general interest in blockchain technologies, exploitation in this field grows too...READ MORE

Wapack Labs has cataloged and reported on cyber threats and vulnerabilities in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Friday, December 29, 2017

Implications of the EU General Data Protection Regulation

The European Union (EU) General Data Protection Regulation (GDPR) will go into force in May 2018. This is a comprehensive change to data protection regulations in the EU, but it will also require foreign companies that collect data on EU citizens to comply with its provisions. The GDPR establishes requirements in many areas that go beyond existing regulations or the security practices of U.S. companies. The greatest potential impact on U.S. companies and cybersecurity personnel is the schedule of penalties that can be imposed for data breaches or other failures to comply with the GDPR. Fines of up to $24 million or 4% of worldwide annual turnover for the year of the infraction can be levied against a company. This creates a possible opportunity for hackers that breach the data holdings of a major corporation. They can threaten to expose the breach, which would trigger huge fines unless the hackers are paid a substantial ransom to keep quiet...READ MORE
 
Wapack Labs has cataloged and reported on data protection regulations in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Thursday, December 28, 2017

Wapack Labs Keylogger Blacklist

TLP AMBER ANNOUNCEMENT:

Compromised Email Accounts
Reporting Period: Dec 28, 2017

On 28 December 2017, Wapack Labs identified 32 ‘new’ unique email accounts compromised with keyloggers and used to log into mostly personal accounts and three organizations. Attackers may be able to access not only email addresses, but also financial, social media and other data.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems.


This TLP AMBER report is available only to Red Sky Alliance members.

Wapack Labs Sinkhole Blacklist

TLP AMBER ANNOUNCEMENT:

Reporting Period: December 28, 2017

Wapack Labs identified connections from 811 new unique IP addresses, which are checking in with one of the many Wapack Labs sinkholed domains.

Contact Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems.


This TLP AMBER report is available only to Red Sky Alliance members.

Sunday, December 24, 2017

Happy Holidays From Wapack Labs!



May this Holiday Season and the New Year bring you Peace and Happiness. Have some fun, enjoy our video, stay safe, and see you online! All our best - The Wapack Labs Team.

Happy Holidays from Wapack Labs

The Wapack Labs Team
www.wapacklabs.com
1-844-4-WAPACK (1-844-492-7225)

Friday, December 22, 2017

Hackers Compromised Russian Bank And Used SWIFT for Withdrawal

On 15 December 2017, a Russian bank lost somewhere between US$100,000 and US$1 million after hackers sent SWIFT wire transfers abroad to Europe, Asia, and America. The bank was compromised (medium confidence) by a hacker group that had sent malicious attachments to a number of different banks a few weeks prior. SWIFT itself was not compromised, but was used as a tool to siphon money from the compromised bank. The bank is going through an ownership reorganization, and prior to this incident it had been receiving warnings from the financial regulator regarding its cyber security posture...READ MORE

Wapack Labs has cataloged and reported on attacks targeting banks and SWIFT in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Thursday, December 21, 2017

Terdot Banking Trojan

TLP AMBER ANNOUNCEMENT:

Terdot is a multipurpose banking trojan developed from the Zeus source code leaked in 2011. The latest version of Terdot surfaced in 2016 and incorporates new surveillance capabilities. Now that the Terdot trojan features cyber espionage capabilities, it is more likely to be sought after by attackers. Like its predecessor Zeus, some of Terdot's features and configurations indicate a high likelihood of Russian origins. This report examines Terdot’s new capabilities, infrastructure, attribution and delivery mechanisms...READ MORE

Wapack Labs has cataloged and reported on banking trojans in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


This TLP AMBER report is available only to Red Sky Alliance members.